Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

This quick tutorial will help you get started with key features to help you find the answers you need. You will receive 10 karma points upon successful completion!

People who like this

1 Answer

In general @wuming79 a lot of the searches in the ransomware app are designed for detection and early containment. Whether or not you can use them to "stop" the ransomware depends entirely on the variant of ransomware. I would argue that the best defense against ransomware is user education, combined with a behavior-detecting technology on the endpoint that can observe what's going on and actually take action.

From a Splunk perspective, we have found time and again that many variants of ransomware do not "immediately" take action. Take, for example, the NotPetya wiper, which puts into place a scheduled task that kicks off a reboot routine an hour after infection. Well, if you're regularly searching for unusual scheduled tasks that shouldn't be there on your endpoints, or for the Windows event that tells you that a scheduled task has been added and a further search (which could be automated) also tells you it was an unusual executable that did it, you can take action. Actions might be taken via a Splunk modular alert, old-style alert script, Adaptive Response, or manual intervention. Actions might include shutting down the host and notifying a SOC, modifying a network config to isolate the endpoint to protect from lateral movement or network share encryption, etc.

Certainly some ransomware immediately does damage seconds after it is executed. While Splunk is a great platform to find these executions after the fact and to help you bolster your defenses to protect against that variant in the future, it isn't going to stop the infection in those cases.